Two-factor authentication (2FA) is the most straightforward way for companies to drastically improve the security of their user authentication process. However, not all 2FA implementations are created equal. Thinking of quickly throwing together a workflow using SMS and calling it a day? Think again! Though popular, 2FA via SMS has many security issues: NIST's Digital Identity Guidelines (SP 800-63B, finalized in 2017) classify SMS-based out-of-band authentication as "restricted", after the 2016 public draft had marked it as deprecated. In this presentation, I dive into the technical details of the most common 2FA implementations and highlight security and usability trade-offs. You will learn how to develop a 2FA implementation strategy that will best serve your users.
17. The three authentication factors
1. Knowledge (something you know)
2. Possession (something you have)
3. Inherence (something you are)
20. Two-factor authentication (2FA)
1. Knowledge (something you know)
2. Possession (something you have)
21. 2FA methods
1. SMS
2. Time-based One-time Passwords (TOTP)
■ e.g. Google Authenticator
3. Push notifications
■ e.g. Google Prompt
4. Universal 2nd Factor (U2F)
■ e.g. USB security keys
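The TOTP method above is just HMAC over a time counter, which is why an authenticator app works offline. The following is an added example, not code from the presentation: a standard-library-only RFC 4226 HOTP / RFC 6238 TOTP implementation with the server-side check a relying party needs. The secret is the RFC test-vector secret (ASCII "12345678901234567890"), the account and issuer names are made up, and `window` / `TIME_STEP` are assumed defaults.

```python
"""Added example (not from the presentation): minimal RFC 4226 HOTP / RFC 6238 TOTP,
the algorithm behind Google Authenticator-style apps. Standard library only."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret, NOT a real key. Authenticator apps
# receive the secret base32-encoded inside an otpauth:// URI (QR code).
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = TIME_STEP, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock skew, comparing in constant time. A real server must
    also remember the last accepted step and reject reuse, otherwise a code that
    was shoulder-surfed or phished stays valid for the whole (2*window+1)*step seconds."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = TIME_STEP) -> str:
    """otpauth:// URI, the payload of the enrolment QR code. Authenticator apps
    expect the secret as unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T = 59 s -> step 1 -> "94287082" (8 digits)
    print(totp(TEST_SECRET, 59, digits=8))
    now = int(time.time())
    print(verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now))
    # Hypothetical account/issuer, for illustration only
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleCorp"))
```

Note what the check does and does not protect against: the skew window and replay tracking cover usability and code reuse, but nothing here binds the code to the site the user is talking to. A phishing page that relays the 6 digits to the real login within the window is accepted, which is the gap that origin-bound methods such as U2F close.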
45. SMS: social engineering
“...our industry is experiencing a phone number port out scam that could impact you…”
“...consider checking with your bank to see if there is an alternative to using text-for-PIN authentication…”
53. “Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.”
2017 - https://research.google.com/pubs/pub46437.html